Since 2004, a source for ranting, reviews and InfoSec news

Mal/Dropper-L

We had a couple of viruses get past MessageLabs last night. That is not something I normally see. Both files were named lgame.zip and contained a single file, lgame.exe. The subject of the message was “Hot Pictures.” Sunbelt Software’s analysis of this file is really good. You can view that online here.
The email messages were detected as a virus by the scanner on the mail server, which identified the attachment as Mal/Dropper-L.
I plan to report this false negative to MessageLabs, but their support has been very unresponsive to similar incidents. Their script requires me to save the infected message in .msg format, zip it and mail it to them. Because my mail server antivirus quarantined the attachment, it would be very difficult to reconstruct the original message.
I submitted it to VirusTotal. Here are their results (this is 7 hours after the files were originally sent).

File lgame.exe received on 08.13.2007 15:00:28 (CET)

Antivirus          Version        Last Update  Result
AhnLab-V3          2007.8.9.2     2007.08.13   –
AntiVir            7.4.0.60       2007.08.13   Worm/Ntech.D
Authentium         4.93.8         2007.08.11   –
Avast              4.7.1029.0     2007.08.13   Win32:Agent-JYG
AVG                7.5.0.476      2007.08.13   –
BitDefender        7.2            2007.08.13   DeepScan:Generic.PWS.Games.4.2D9F7732
CAT-QuickHeal      9.00           2007.08.13   –
ClamAV             0.91           2007.08.13   Trojan.Dropper-2099
DrWeb              4.33           2007.08.13   BackDoor.Bulknet
eSafe              7.0.15.0       2007.08.10   –
eTrust-Vet         31.1.5055      2007.08.13   Win32/Cutwail!generic
Ewido              4.0            2007.08.13   –
FileAdvisor        1              2007.08.13   –
Fortinet           2.91.0.0       2007.08.13   –
F-Prot             4.3.2.48       2007.08.10   –
F-Secure           6.70.13030.0   2007.08.13   Trojan-Downloader:W32/Agent.BRK
Ikarus             T3.1.1.12      2007.08.13   Trojan-Downloader.Win32.Agent.brk
Kaspersky          4.0.2.24       2007.08.13   Trojan-Downloader.Win32.Agent.brk
McAfee             5095           2007.08.10   –
Microsoft          1.2704         2007.08.13   –
NOD32v2            2455           2007.08.13   a variant of Win32/TrojanDownloader.Agent.BRK
Norman             5.80.02        2007.08.13   –
Panda              9.0.0.4        2007.08.12   –
Prevx1             V2             2007.08.13   –
Rising             19.36.02.00    2007.08.13   –
Sophos             4.20.0         2007.08.12   Mal/Dropper-L
Sunbelt            2.2.907.0      2007.08.11   –
Symantec           10             2007.08.13   Trojan.Pandex
TheHacker          6.1.8.167      2007.08.13   –
VBA32              3.12.2.2       2007.08.11   –
VirusBuster        4.3.26:9       2007.08.12   –
Webwasher-Gateway  6.0.1          2007.08.13   Worm.Ntech.D

(– = no detection. 13 of the 32 engines flagged the file at the time of submission.)

Additional information
File size: 20992 bytes
MD5: dfade0d9b21be4fd57dd6975d9fe7ccd
SHA1: 31786e2b62ce7b79c9bed6bd0cfd9c01b3ef67e6
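The indicators in this post (subject line, outer and inner filenames, and the MD5/SHA1 of lgame.exe) are enough to sweep a mail store for further copies while waiting on the gateway vendor. The script below is an added example, not code from the original post or from any vendor: it parses a raw message, opens any zip attachment in memory, hashes the executable inside and reports which indicators matched. The sample message it builds is constructed here so the script runs offline; its "lgame.exe" is a harmless placeholder, so the hash check is expected to fail on it while the name and structure checks match.

```python
"""Added example (not from the original post): check a raw RFC 822 message
against the lgame.zip / "Hot Pictures" indicators listed in the post.

Indicator values come from the post. The sample message is constructed
below with a placeholder payload, so its hash will NOT match the real one.
"""
import email
import email.policy
import hashlib
import io
import zipfile
from email.message import EmailMessage

# Indicators from the post.
KNOWN_SUBJECT = "Hot Pictures"
KNOWN_ZIP_NAME = "lgame.zip"
KNOWN_INNER_NAME = "lgame.exe"
KNOWN_MD5 = "dfade0d9b21be4fd57dd6975d9fe7ccd"
KNOWN_SHA1 = "31786e2b62ce7b79c9bed6bd0cfd9c01b3ef67e6"


def check_message(raw: bytes) -> dict:
    """Return which indicators a raw message matches.

    Weak indicators (subject, filenames) are reported separately from the
    strong one (hash of the inner executable), so a repacked or renamed
    copy still shows up as suspicious on structure alone.
    """
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    result = {
        "subject_match": (msg.get("Subject") or "").strip() == KNOWN_SUBJECT,
        "zip_name_match": False,
        "zip_contains_exe": False,
        "inner_name_match": False,
        "md5": None,
        "sha1": None,
        "hash_match": False,
    }
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not name.endswith(".zip"):
            continue
        if name == KNOWN_ZIP_NAME:
            result["zip_name_match"] = True
        data = part.get_payload(decode=True)
        try:
            zf = zipfile.ZipFile(io.BytesIO(data))
        except zipfile.BadZipFile:
            continue  # not a real zip; leave it to the AV scanner
        for info in zf.infolist():
            if not info.filename.lower().endswith(".exe"):
                continue
            result["zip_contains_exe"] = True
            if info.filename.lower() == KNOWN_INNER_NAME:
                result["inner_name_match"] = True
            payload = zf.read(info)  # hash the inner file, as VirusTotal did
            result["md5"] = hashlib.md5(payload).hexdigest()
            result["sha1"] = hashlib.sha1(payload).hexdigest()
            if result["md5"] == KNOWN_MD5 or result["sha1"] == KNOWN_SHA1:
                result["hash_match"] = True
    # A known hash is conclusive; otherwise require both the lure subject
    # and an executable inside a zip, not just one of them.
    result["suspicious"] = result["hash_match"] or (
        result["subject_match"] and result["zip_contains_exe"]
    )
    return result


def build_sample_message() -> bytes:
    """Constructed sample: shaped like the message described in the post,
    but the zip holds a placeholder instead of the real dropper."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(KNOWN_INNER_NAME, b"placeholder, not the real binary")
    msg = EmailMessage()
    msg["From"] = "someone@example.com"    # constructed address
    msg["To"] = "victim@example.com"       # constructed address
    msg["Subject"] = KNOWN_SUBJECT
    msg.set_content("see attached")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=KNOWN_ZIP_NAME)
    return msg.as_bytes()


if __name__ == "__main__":
    print(check_message(build_sample_message()))
```

To sweep a mailbox, feed each message's raw bytes to check_message and act on "suspicious". Filenames and subjects are cheap for the sender to change, so treat those matches as a hunting lead; only the hash match ties a message to this exact sample.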

Update: MessageLabs did realize they had let this through and sent us a list of messages to delete. Unfortunately, they sent it to the lead contact (who was on vacation) rather than sending it to all of us. Fortunately, we’d already caught those messages.